U.S. GOVERNMENT PRINTING OFFICE
KEEPING AMERICA INFORMED

ASSESSMENT REPORT 09-04
FEDERAL DIGITAL SYSTEM (FDSYS)
INDEPENDENT VERIFICATION AND VALIDATION (IV&V) - SECURITY ANALYSIS REPORT
December 24, 2008


U.S. GOVERNMENT PRINTING OFFICE
OFFICE OF THE INSPECTOR GENERAL
WASHINGTON, DC 20401

DATE:             December 24, 2008

REPLY TO ATTN OF: Assistant Inspector General for Audits and Inspections

SUBJECT:          Federal Digital System (FDsys) Independent Verification and Validation (IV&V) - Final Security Analysis Report
                  Report Number 09-04

TO:               Chief Information Officer

The GPO Office of Inspector General (OIG) is conducting independent verification and validation (IV&V) of GPO's Federal Digital System (FDsys)[1] implementation. The OIG contracted with American Systems[2] to conduct IV&V for the public release of FDsys Release 1.C.[3] As part of its contract with the OIG, American Systems is assessing the state of program management, technical, and testing plans and other efforts related to the rollout of Release 1.C. One tasking is to evaluate security planning and implementation. The attached report prepared by American Systems is intended to provide a high-level assessment of the most recent version of the FDsys System Security Plan (SSP). Appendix A provides more detailed findings on the SSP. The assessment results were briefed to the Chief Information Officer and the Chief Information Security Officer on November 5, 2008.

Section 6 of the report contains five recommendations designed to strengthen FDsys system security planning and implementation. Management concurred with each of the five recommendations. We consider the actions proposed by management responsive to each of the recommendations. Management's response is included in its entirety in Appendix B of the report. The recommendations are resolved and will remain open until management has completed actions and the IV&V team has completed follow-up work.

The status of each recommendation upon issuance of this report is included in Appendix C. The final report distribution is in Appendix D.

If you have questions concerning this report or the IV&V process, please contact Mr. Brent Melson, Deputy Assistant Inspector General for Audits and Inspections, at (202) 512-2037, or me at (202) 512-2009.

Kevin J. Carson
Assistant Inspector General for Audits and Inspections

Attachment

cc:
Chief of Staff
Chief Acquisition Officer
Chief Management Officer
Chief Technology Officer

[1] The FDsys program is a multimillion dollar effort that GPO is funding and managing to modernize the GPO information collection, processing, and dissemination capabilities it performs for the three branches of the Federal Government.
[2] American Systems, located in Chantilly, Virginia, is a large information technology company with significant experience in the realm of IV&V for Federal civilian and Defense agencies, including the Department of State, the Navy, and the U.S. Agency for International Development.
[3] American Systems' IV&V methodology is referenced to the framework established by the Institute of Electrical and Electronic Engineers (IEEE) Standard 1012-2004, the IEEE Standard for Software Verification and Validation.


IV&V TASK REPORT

TO:        Brent Melson, COTR
FROM:      IV&V, Jon Valett
IV&V OF:   GPO FDsys System Security Plan (Version 2.1 - Doc Number DCN 7024227)
SUBJECT:   Task 5.4.3.3 FDsys Security Analysis (Revised Final - Doc. No. 01-048)
DATE:      November 6, 2008
CC:        Dan Rose, David Harold, John Best, Chris Paw, Shawn O'Rourke, Mark LoGalbo


1. Description of Task

Independent Verification and Validation (IV&V) performed a second assessment of the Government Printing Office (GPO) FDsys System Security Plan (SSP) and its applicability to the FDsys program. Specifically, IV&V reviewed the:

   - GPO FDsys System Security Plan, 12 September 2008, version 1.0
   - GPO FDsys System Design Document, 5 September 2008, version 2.0


2. Summary of Task Results

GPO FDsys PMO now has the responsibility for the development of the GPO FDsys SSP. In reviewing the GPO FDsys SSP, the following policy, standards and guides were used:

   - FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
   - FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
   - NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
   - NIST SP 800-30, Risk Management Guide for Information Technology Systems
   - NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
   - NIST SP 800-53, Recommended Security Controls for Federal Information Systems
   - GPO Directive 825.33A, Information Technology (IT) Security Program Statement of Policy

The previous IV&V report was delivered on 15 April 2008 and was conducted on the initial SSP. The initial SSP did not detail any security controls in accordance with NIST SP 800-53. Since this time, it is apparent that a positive effort to include relevant security controls has been made and the current SSP is a greatly improved document. While this is an improvement, the IV&V findings suggest that the current GPO FDsys SSP still does not adequately detail the security controls in place, or those planned to be in place, for the protection of the confidentiality, integrity, and availability of the system's data and associated resources.


3. Summary of Anomalies and Resolutions

No anomaly reports were written as a result of this task.


4. Assessment of Quality

The task assessed the GPO FDsys SSP and the System Design Document to determine if the content of the documents provided an adequate security strategy. Based on this assessment, IV&V has drawn the following conclusions.

   - The SDD appears to be a comprehensive system level document, but lacks some security architecture details. It is unclear from the diagram (figure 11.2-1) what the data flow is from external interfaces. Two firewalls are depicted on the hardware diagram, but no detailed information as to the type of firewall, make or model is included. It is understood that these may not be part of the certification boundary, but information regarding these devices will be necessary to determine the level of risk exposed to FDsys.

   - Assuming a December 2008 deployment, the program may not currently have the resources with sufficient time to complete the GPO FDsys SSP.

   - The GPO FDsys SSP has had much of the detailed functional data removed as recommended in the previous report, but still does not provide an adequate description of the security controls either in place, or planned for FDsys. The Management, Operational and Technical control headers have been included and some controls have been adequately answered. There are however a considerable number of controls that have either not been answered, or lack sufficient detail. This system has been classified as a high-impact system[4] and as a result, there are numerous control enhancements that must be included in the design of FDsys.

   - The last SSP review that was conducted on 15 April noted that the SSP version was 2.1. The latest version (12 September) is listed as 1.0. The document version control now starts at 0.9, with no mention of the previous versions of this document.

   - The GPO FDsys SSP still does not identify the Authorizing Official, Certification Authority, or the Information System Security Officer. It is worth noting that as FDsys has been classed as a high-impact system, the Certification Authority/Agent will need to be an independent third party with no perceived or actual connection to the system.

   - It is still unclear from the GPO FDsys SSP what the exact boundary of the system is. There is mention of several internal and external connections, but the SSP does not detail if any of these are part of the boundary and, if not, whether there are currently any Memoranda of Agreement in place.

   - The general description of this system in the SSP is unclear and somewhat confusing. There does not need to be a lengthy technical description of the system, as references to the System Design documents can be made; there does however need to be a high level functional description of what the system is, its function, users and when it is planned for production.

   - The SSP's main function is to describe the baseline security controls in place, or intended to be in place once the system is operational. The current SSP is difficult to decipher when trying to establish if all controls have been met. When writing statements to satisfy a particular control, it is strongly advised to list that control number and any required control enhancements.

Please see the Attachments at the end of this report for a detailed list of comments against the GPO FDsys System Security Plan (SSP).

[4] The potential impact of a system is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


5. Identification and Assessment of Technical and Management Risks

The above results create the following potential risks:

   - The confidentiality, integrity and availability protection of FDsys is critical for successful operational purposes, regulatory compliance and public confidence. The purpose of the GPO FDsys SSP is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. This system has been categorized as a high-impact system in accordance with FIPS 199. As a result there are a number of control enhancements that must be addressed above the normal baseline controls. If not adequately answered, it would likely lead to a Denial of Authority To Operate (DATO) from the Authorizing Official.

   - The GPO FDsys SSP fails to clearly and concisely provide sufficient detail for the Certification Authority and the Authorizing Official to base their initial acceptance and agreement of the security posture and residual risk associated with FDsys. Failure to clearly define the complete system architecture and associated security controls puts the system receiving a final Approval To Operate (ATO) in jeopardy and therefore delays the operational deployment to the GPO stakeholders, and the public.


6. Recommendations

IV&V recommends the following:

   1. GPO FDsys PMO follows the NIST SP 800-37 for a successful process in which to ensure the system receives an ATO. The C&A process is a team process and clear responsibilities need to be documented.

   Management's Response. Concur. The C&A process, when it is performed for the FDsys system, will use a team oriented approach, and the roles and responsibilities of the parties will be documented. The complete text of management's response is in Appendix B.

   Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are verified by the IV&V team.

   2. Although the majority of the functional description in the original GPO FDsys SSP has been removed, there still needs to be a clearer, more detailed version of the system description, users, information flow, dependencies, security requirements, and security features.

   Management's Response. Concur. IT&S agrees to enhance the document to address these recommendations (see Appendix B).

   Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are verified by the IV&V team.

   3. The NIST SP 800-53 should be used extensively as a guide to establish the required baseline security controls GPO FDsys will need to incorporate, or accept the risk. The document should list each control number and title, and a response as to how the control is implemented, or planned to be implemented, should follow.

   Management's Response. Concur. The FDsys SSP already lists HIGH NIST-53A security controls as required. The GPO Risk Assessment template, which complies with NIST SP 800-26, will provide the recommended information. The FDsys Risk Assessment is in the process of creation now and is planned for completion in December 2008 to meet the requirements of the GPO C&A process (see Appendix B).

   Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are verified by the IV&V team.

   4. Any connection to systems outside of FDsys needs to be thoroughly documented. For any connections that are made to other systems inside GPO, there should be a Memorandum of Understanding/Agreement. For any connections to systems outside of GPO, there should be an Interconnection Security Agreement (ISA).

   Management's Response. Concur. MOU/MOAs will be prepared for the general support systems and major applications that FDsys interfaces to within GPO. An ISA will be completed for the ILS, which is the only external system interface. IT&S plans to complete these activities in December 2008, to support the C&A process for FDsys (see Appendix B).

   Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are verified by the IV&V team.

   5. Update the SSP to respond to the detailed comments provided in the Attachment to this report.

   Management's Response. Concur. IT&S will provide a detailed matrix of intended updates to the FDsys SSP. IT&S plans to provide that to the OIG in December 2008, and to update the SSP accordingly (see Appendix B).

   Evaluation of Management's Response. Management's proposed actions are responsive to the recommendation. The recommendation is resolved, but will remain undispositioned and open for reporting purposes until corrective actions are verified by the IV&V team.


Appendix A. IV&V Document Review Comments

Document Reviewed: GPO FDsys System Security Plan (dated 12 September 2008)
Date of Review Comments: 27 October 2008
Conducted by: Mark LoGalbo

Item 1 | Page: N/A | Para/Section: General
   This system has been classified as Sensitive But Unclassified (SBU); therefore correct document labeling should be followed in accordance with relevant GPO policy. Recommend the document should be labeled "For Official Use Only (FOUO)" on every page and correct handling instructions added to the front cover.

Item 2 | Para/Section: Signature Page
   It is unclear who is responsible for the system, based on the roles currently listed on the SSP signature page. The signature page is still missing the signature lines for the Authorizing Official (AO), Certification Authority/Agent (CA), Information System Security Officer (ISSO), and the System Owner. The signature page currently has six people listed and some of these are probably the identified missing signatories (e.g., the CIO is probably the AO, but it looks like the CIO could also be the system owner?), but this is not clear.

Item 3 | Page: 3 | Para/Section: Document Version Control
   The version control on this SSP starts at 0.9. The previous records depicting what was changed in the SSP need to be kept as a record of change.

Item 4 | Page: 6 | Para/Section: 1.1-1.5 (System Identification)
   This section is greatly improved from the last review; however the AO and CA are still missing and are key members of the Certification and Accreditation (C&A) management team.

Item 5 | Page: 8 | Para/Section: 1.6 (System Purpose and Description)
   The general description of FDsys is still disconnected and somewhat confusing. This section should be a very high-level explanation of what the system purpose, capabilities, users, [...] should be written for a non-technical reader, with no prior knowledge of the system. In the prior report the following example was given: "GPO's Future Digital System (FDsys) system is currently under development and does not currently store, or process government data apart from test data. When operational it will reside on the GPO communications network and will be a world-class system for managing official Government content. FDsys will automate the collection and dissemination of electronic information from all three branches of government. The system will verify and track versions, assure authenticity, preserve content, and provide permanent public access. The system will be Rules based, Policy neutral, Modular and adaptable. The information contained within the system will be permanently available in electronic format, authenticated and versioned, accessible for Web searching, viewing, downloading and printing, and available for conventional and on-demand printing. FDsys will be built to include all known Federal Government publications falling within the scope of GPO's Federal Depository Library Program (FDLP), including text, graphics, video, audio, numeric, and other emerging forms of content."

Item 6 | Page: 8 | Para/Section: 1.6 (System Purpose and Description)
   The accreditation boundary is still unclear for the system. Recommend adding a section that explains what the accreditation boundary is limited to. An example may include: "The accreditation boundary is limited to the FDsys Major Application which includes firewalls, switches, workstations, printers, web servers, file servers, and other devices connected to the network as identified in the hardware equipment list in Appendix [...]".
   Recommend moving the system diagram in section 5.1 and placing it into the accreditation boundary section. This will be useful when explaining the accreditation boundary and should be easier for the reader to follow. The boundary should match both the diagram and the hardware list. There are a couple of firewalls depicted in the diagram; if they are in the accreditation boundary then explain, and if not, also explain that they are part of another system and whether that system has a current Approval To Operate.

Item 7 | Para/Section: 1.6.4 (System Interconnection/Information Sharing)
   Internal interfaces have been listed as the Integrated Library System (ILS) and the Enterprise Service Bus (ESB). The section states that these are components of the FDsys. It is unclear if these components are part of the FDsys accreditation boundary, or covered under a separate System Security Plan (SSP).
   The external interfaces need to be explained in more detail:
      - How do these external interfaces communicate with the system and why?
      - If they are another separate system, is there a Memorandum of Agreement or similar in place?
      - Are the other systems currently accredited?

Item 8 | Para/Section: Management, Operational and Technical Controls
   These sections are currently difficult to assess as to whether all baseline controls have been included at the correct high-watermark. Recommend that each sub-section has the NIST SP 800-53 control number and the control name listed. This will make it easier for the certifier and also make it easier for the author to ensure that no controls are missed. An example would be:
      2.1 Risk Assessment (RA)
      2.1.1 Risk Assessment Policy and Procedures (RA-1)

Item 9 | Para/Section: 2.1 (Risk Assessment and Risk Management)
   This section should cover security controls RA-1 thru RA-5(1)(2). The description references GPO directive 825.33A, but does not state if an actual risk assessment has been performed at this stage. There are some general risk descriptions and threat descriptions, but there are no risk levels (high, medium, low), or likelihood associated with them. Recommend utilizing the NIST SP 800-30 to assist with this section.

Item 10 | Para/Section: 2.1 (Risk Assessment and Risk Management)
   Security control RA-5 (Vulnerability Scanning) has not been answered in the SSP. As this is a high system, control enhancements RA-5(1) and RA-5(2) also need to be addressed.

Item 11 | Para/Section: 2.3 thru 2.4.5
   These sections are discussing the security controls for Planning (PL). There are some controls missing that should either be in place, or intended to be in place for this system. There is [...]

Item 12 | Page: [...] | Para/Section: [...]
   [...] very generic and needs to include detail as to how the system will meet these controls. Some details to include are:
      - What is the frequency of the security assessments and when is the first one scheduled?
      - What are the risk considerations from external connections?
      - Has an independent certifier been identified for the system?
      - Has a Plan of Action and Milestones (POA&M) document been created yet? There could already be open items discovered from the risk assessment.
      - Has the Authorizing Official been identified?
      - How will continuous monitoring be put in place for this system and what activities are planned to be included?

Item 13 | Page: N/A | Para/Section: 2 (Management Controls)
   The System and Services Acquisition (SA) controls have not been included within this section.

Item 14 | Page: 25 | Para/Section: 3.1 (Personnel Security Controls)
   The following controls are missing detail in this section:
      - Personnel Security Policy and Procedures (PS-1). Is there a current GPO policy that covers this control?
      - Position Categorization (PS-2). [...] categorization and if so what [...]
      - Third-Party Personnel Security (PS-7). Need to discuss how the agency meets this control.

Item 15 | Page: 26 | Para/Section: 3.2 (Physical and Environmental Protection Controls)
   This section needs to include more detail regarding PE-1 thru PE-19 security controls. Items to be addressed include:
      - Physical access to the system. Where is/will the system be located; is it in a server room, air conditioned, etc.?
      - How is the facility monitored? Are there cameras, alarms, armed guards?
      - Are there real-time intrusion alarms (PE-6(1) and PE-6(2))?
      - Are visitor access records maintained and do they meet the requirements of security control PE-8, PE-8(1), and PE-8(2)?
      - How does the organization protect power equipment/cabling from damage or destruction?
      - Discuss emergency shutoff for the system.
      - Discuss emergency power for both short term (uninterruptible) and long term alternate power supply.
      - Discuss emergency lighting.
      - Discuss fire protection, including automatic detection
                              and notification, and fire\n                                             suppression devices\n\x0cAppendix A\n\n\n\n\n                                                humidity controls for the\n\n                                                 How does the system protect\n                                                 against water damage?\n                                                 Discuss how delivery and\n                                                 removal of IT equipment is\n                                                 achieved\n                                                 Is there an alternate work site?\n                                                 Explain information leakage\n                                                 protection\n16      27     3.3 (Production Input 1   This section appears to be relating to\n               Output Controls)          Media protection (MP) controls. There\n                                         needs to be greater detail explaining\n                                         the GPO media protection\n                                         policy/procedures, access, labeling,\n                                         storage, transportation, and finally\n                                         sanitization and disposal.\n17      27     3.4 (Incident Response    It is OK to reference the GPO\n               Capability)               Computer Security incident Response\n                                         Team (CSIRT) procedure document in\n                                         this section, but it is strongly advised\n                                         the Information Assurance Officer\n                                         (LAO) for FDsys ensures that the\n                                         document and GPO CSIRT procedures\n                                         meet all the controls relating to IR-1\n                                       
thru IR-7, paying particular attention to the enhancement requirements.

Item 18, pages 28-29, section 3.7 (Security Awareness and Training)
This section provides a good overview of user awareness training, but does not have any information to support the following controls under Awareness and Training (AT):
- Security Training (AT-3). Need to discuss how security staff are identified and receive specialized training (NIST SP 800-50)
- Security Training Records (AT-4). Need to discuss how training records are kept and how you monitor users training needs/requirements

Appendix A
Document Reviewed: GPO FDsys System Security Plan (dated 12 September 2008)
Date of Review Comments: 27 October 2008
Conducted by: Mark LoGalbo
Columns: Item #, Page #, Para/Section #, Comments

Section 3 (Operational Controls)
There are no Configuration Management (CM) controls listed in this section. The following need to be addressed as either in-place, planned, or inherited:
- Configuration Management Policy and Procedures (CM-1)
- Baseline Configuration (CM-2) (1) (2)
- Configuration Change Control (CM-3) (1)
- Monitoring Configuration Changes (CM-4)
- Access Restriction for Change (CM-5) (1)
- Configuration Settings (CM-6) (1)
- Least Functionality (CM-7) (1)
- Information System Component Inventory (CM-8) (1) (2)

Section 3 (Operational Controls)
There are no Contingency Planning (CP) controls listed in this section. The following need to be addressed as either in-place, planned, or inherited:
- Contingency Planning Policy and Procedures (CP-1)
- Contingency Plan (CP-2) (1) (2)
- Contingency Training (CP-3) (1)
- Contingency Plan Testing and Exercises (CP-4) (1) (2)
- Contingency Plan Update (CP-
- Telecommunications Services (CP-8) (1) (2) (3) (4)
- Information System Backup (CP-9) (1) (2) (3) (4)
- Information System Recovery and Reconstitution (CP-10) (1)

Item 21, page N/A, section 3 (Operational Controls)
There are no Maintenance (MA) controls listed in this section. The following need to be addressed as either in-place, planned, or inherited:
- System Maintenance Policy and Procedures (MA-1)
- Controlled Maintenance (MA-2) (1) (2)
- Maintenance Tools (MA-3) (1) (2) (3)
- Remote Maintenance (MA-4) (1) (2) (3)
- Maintenance Personnel (MA-5)
- Timely Maintenance (MA-6)

Item 22, page N/A, section 3 (Operational Controls)
There are no System and Information Integrity (SI) controls listed in this section. The following need to be addressed as either in-place, planned, or inherited:
- System and Information Integrity Policy and Procedures (SI-1)
- Flaw Remediation (SI-2) (1) (2)
- Malicious Code (SI-3) (1) (2)
- Information System Monitoring Tools and Techniques (SI-4) (2) (4) (5)
- Security Alerts and Advisories
- Security Functionality Verification (SI-6)
- Software and Information Integrity (SI-7) (1) (2)
- Spam Protection (SI-8) (1)
- Information Input Restrictions (SI-9)
- Information Accuracy, Completeness, Validity, and Authenticity (SI-10)
- Error Handling (SI-11)
- Information Output Handling and Retention (SI-12)

Item 23, page 29, section 4.1.1 (Inactive User IDs)
The paragraph states that inactive user
accounts are disabled after a specific time (e.g., six or twelve months) in accordance with GPO Directive 825.33A. There needs to be specifics and not examples. The 825.33A does not currently specify an inactive time frame.

Item 24, page 29, section 4.1.2 (Authentication)
As FDsys is a high system, there is a need for multi-factor identification to meet the IA-2 control enhancements 2 and 3. This needs to be at level 4 when consulting NIST SP 800-63. This section discusses internal users, but what about public credentials? Will the system have digital certificates and/or session based cookies etc?

Item 25, pages 29-32, section 4 (Technical Controls)
There is a large portion of the Access Controls (AC) deficient. Most of the lower AC controls (AC-1 thru AC-7) have been addressed, but the remaining controls (AC-8 thru AC-20) need to be documented. Particular attention needs to be made to the control enhancements as this is a high system.

Item 26, page 32, section 4.7 (Audit Trails)
This section is inadequate to answer the Audit and Accountability (AU) controls. Items that need to be addressed include:
- Is there a GPO policy that addresses Audit Trails (825.33A)?
- What are auditable events for FDsys?
- How often are these auditable events reviewed?
- Are sufficient audit records kept that can capture sufficient information to establish what events occurred?
- Are the audit records centrally managed... CSIRT?
- Is there sufficient audit storage allocated for FDsys?
- Does FDsys alert appropriate staff in the event of an audit processing failure and is it a real time alert (needed for a high system)?
- How often does the organization review and analyze the audit logs?
- Does FDsys provide audit reduction and report generation tools that support after-the-fact investigations of security incidents without altering original audit records?
The technical controls for System and Communications Protection (SC) are missing from this section. Need to discuss the current, or planned security controls for SC-1 thru SC-23, including all required enhancements for a high system.

Page 33, section 5.1 (Appendix A - Equipment List)
The network diagram shows two firewalls, four Cisco switches, and two load balancers that are not accounted for on the hardware list. There is also a Digital Application Server, a SAN, and a NAS storage unit that is listed on the hardware list, but not on the

Item 1, page 18, section 2.2 (Review of Security Controls)
Change reference from NIST SP 800-53A to NIST SP 800-53. Also recommend that this section is removed and placed as an opening statement for the main section 2.
It makes a good opening remark, but does not really fit in its current section.

Section 2.3 thru 2.4.5
These sections are discussing the security controls for Planning (PL). Recommend reordering the sections so they line up with the controls as follows:
2.3 Planning (PL)
2.3.1 Security Planning Policy and Procedures (PL-1)
2.3.2 System Security Plan (PL-2)
2.3.3 System Security Plan Update (PL-3)
2.3.4 Rules of Behavior (PL-4)
2.3.5 Privacy Impact Assessment (PL-5)
2.3.6 Security-Related Activity Planning (PL-6)
Recommend using this format for each control group/family.

or no longer used as follows:
- SP 800-53 is now Revision 2, December 2007
- SP 800-53A is no longer draft and is June 2008
- SP 800-61 is now Revision 1, March 2008
- SP 800-64 is now Revision 2, October 2008
- SP 800-92 is no longer draft and is September 2006
- NIST Pubs. 31, 73, 83, and 102 are no longer used

Appendix B. Management's Response

IT&S Response:
Draft OIG IV&V Assessment Report on FDsys
December 10, 2008

Introduction

The Office of the Inspector General (OIG) issued a Draft Report on November 25, 2008, concerning an Independent Verification and Validation (IV&V) of the FDsys System Security Plan (SSP).

This document is the GPO Information Technology and Systems (IT&S) response to the OIG recommendations contained in that Draft Assessment Report.

OIG Recommendations and IT&S Response

The OIG IV&V recommendations and IT&S responses to each recommendation are listed below.

OIG Recommendation #1:

The IV&V recommends that the GPO FDsys PMO follows the NIST SP 800-37 for a successful process in which to ensure the system receives an ATO. The C&A process is a team process and clear responsibilities need to be documented.

IT&S Response:

IT&S agrees that SP 800-37 provides a reasonable framework for a C&A process that complies with GPO IT Security Policy requirements and GPO policy, and further, that the C&A process is a team oriented process.
The C&A process, when it is performed for the FDsys system, will use a team oriented approach, and the roles and responsibilities of the parties will be documented.

OIG Recommendation #2:

The IV&V recommends that although the majority of the functional description in the original GPO FDsys SSP has been removed, there still needs to be a clearer, more detailed version of the system description, users, information flow, dependencies, security requirements and security features.

IT&S Response:

IT&S agrees to enhance the document to address these recommendations.

OIG Recommendation #3:

The IV&V recommends that the NIST SP 800-53 should be used extensively as a guide to establish the required baseline security controls GPO FDsys will need to incorporate, or accept the risk. The document should list each control number and title and then a response as to how the control is implemented, or planned to be implemented should follow.

IT&S Response:

The FDsys SSP already lists all HIGH NIST 800-53A security controls as required for the control baseline (this is contained in Appendix A of the SSP). Thus that element of the recommendation is already adequately covered in the FDsys SSP. The GPO Risk Assessment template, which complies with NIST SP 800-26, will provide the recommended information, in accordance with the GPO IT Security Policy (GPO Directive 825.33A) and GPO SDW, and is the GPO document that will list the recommended state of control implementation or risk acceptance. The Risk Assessment for FDsys is in the process of creation now and is planned for completion in December 2008, to meet the requirements of the GPO C&A process.

OIG Recommendation #4:

The IV&V recommends that any connections to systems outside of FDsys need to be thoroughly documented. For any connections that are made to other systems within GPO, there should be a Memorandum of Understanding/Agreement. For any connections to systems outside of GPO, there should be an Interconnection Security Agreement (ISA).

IT&S Response:

The GPO IT Security Policy (GPO Directive 825.33A) does not require MOU/MOA's between GPO systems or major applications. IT&S believes this extra level of documentation may be worthwhile and will plan to do so for the GSS and major applications that FDsys interfaces to within GPO. IT&S agrees that ISA's should be performed for external system interfaces, outside of GPO, and will complete ISA's for this purpose. The ILS is the only system interface of that type for FDsys at this time. IT&S plans to complete these activities in December 2008, to support the C&A process for FDsys.

OIG Recommendation #5:

The IV&V recommends that the SSP be updated to respond to the detailed comments provided in the Attachment to the Assessment report.

IT&S Response:

Appendix C. Status of Recommendations

Recommendation No.   Resolved   Unresolved   Open/ECD*   Closed
1                    X                       TBD
2                    X                       TBD
3                    X                       12/31/08
4                    X                       12/31/08
5                    X                       12/31/08

*Estimated Completion Date

Appendix D. Report Distribution

Public Printer
Chief of Staff
General Counsel
Chief Acquisition Officer
Chief Management Officer
Chief Technology Officer